PT-2026-40869 · WordPress · The Plus Addons For Elementor

Daroo

·

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2026-5243

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions The Plus Addons for Elementor versions prior to 6.4.12
Description Stored cross-site scripting is possible due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts via the menu hover click parameter of the Navigation Menu Lite widget. These scripts execute whenever a user accesses an affected page.
Recommendations Update to a version later than 6.4.11. As a temporary workaround, restrict access to the Navigation Menu Lite widget or avoid using the menu hover click parameter until the update is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-5243

Affected Products

The Plus Addons For Elementor